Usually, this happens because the account password was changed outside of the Users & Groups preference pane in System Preferences, and Secure Token and the account password are now out of sync with each other.

Up until today, the only fix I knew of for that situation was to back up the data and wipe the drive. However, it looks like there is a workaround that fixes the password problem and sorts out the Secure Token attribute for the account on a decrypted laptop. For more details, please see below the jump.

To fix the account, the resetFileVaultpassword tool needs to be run from macOS Recovery. To access this tool, use the following procedure:

Thank you! This worked perfectly. During a setup of a new laptop, the original user was replaced with a new one. Once I attempted to activate FileVault, a server error or a "failed to convert user" error message appeared. This solution saved me from having to wipe the drive and start from scratch. Cheers!

Thanks! This was the only thing that worked for me, including removing .AppleSetupDone to attempt to run SetupAssistant and create a new user admin account with the token. Apparently that trick had been used once before and now SetupAssistant just goes to “Setting up your Mac…” instead of the Create User Account workflow. (I tried removing Receipts, plists and caches with no luck either.) One small caveat with resetFileVaultpassword is that if you have existing users with SecureTokens (that may have out-of-sync passwords and not be usable), it’ll force you to try to authorize with those users instead, and then fail to add the SecureToken to the reset account (Failed to Add User / Failed to convert user). The workaround for this was to remove the ;SecureToken; attribute from the AuthenticationAuthority of any users that have it, by using either dscl or Directory Utility, and then re-attempt resetFileVaultpassword, at which point it will prompt you to reset ALL users' passwords and add the SecureToken attribute. As a fun aside, if you add the ;SecureToken; attribute manually to a user, sysadminctl -secureTokenStatus will report that Secure token is ENABLED, but they still won’t be able to use FileVault. Lastly, I’ll mention that manually adding a Configuration profile that forced FV2 enabled, hoping to get a SecureToken for the enabling user, also did not work, and clicking “Turn on FileVault…” would do nothing.